Change log for unzip package in Debian

1-39 of 39 results
Published in bookworm-release
Published in sid-release
unzip (6.0-28) unstable; urgency=medium

  * Drop debian/source/lintian-overrides, obsolete since version 6.0-18.
  * Update URI for Info-ZIP license in copyright file.
  * Update standards version to 4.6.2.
  * Run wrap-and-sort.
  * Update Homepage.

 -- Santiago Vila <email address hidden>  Sun, 19 Feb 2023 19:02:00 +0100
Published in bullseye-release
unzip (6.0-26+deb11u1) bullseye-security; urgency=medium

  * Apply upstream patch for CVE-2022-0529 and CVE-2022-0530.
  - Fix null pointer dereference on invalid UTF-8 input.
  - Fix wide string conversion in process.c.
    Closes: #1010355.

 -- Santiago Vila <email address hidden>  Sun, 07 Aug 2022 01:45:00 +0200
Superseded in sid-release
unzip (6.0-27) unstable; urgency=medium

  * Apply upstream patch for CVE-2022-0529 and CVE-2022-0530.
  - Fix null pointer dereference on invalid UTF-8 input.
  - Fix wide string conversion in process.c.
    Closes: #1010355.

 -- Santiago Vila <email address hidden>  Tue, 02 Aug 2022 19:05:00 +0200
Published in buster-release
unzip (6.0-23+deb10u2) buster; urgency=medium

  * Two more patches from Mark Adler for CVE-2019-13232. Closes: #963996.
  - Fix bug in UZbunzip2() that incorrectly updated G.incnt.
  - Fix bug in UZinflate() that incorrectly updated G.incnt.

 -- Santiago Vila <email address hidden>  Sun, 10 Jan 2021 16:12:00 +0100
Superseded in bullseye-release
Superseded in sid-release
unzip (6.0-26) unstable; urgency=medium

  * Two more patches from Mark Adler for CVE-2019-13232. Closes: #963996.
  - Fix bug in UZbunzip2() that incorrectly updated G.incnt.
  - Fix bug in UZinflate() that incorrectly updated G.incnt.
  * Avoid weird zipgrep errors when no members are present.
    Thanks to Kevin Locke. Closes: #972233.
  * Update dependency on debhelper.

 -- Santiago Vila <email address hidden>  Sun, 10 Jan 2021 15:34:00 +0100
Published in stretch-release
unzip (6.0-21+deb9u2) stretch; urgency=medium

  * Fix incorrect parsing of 64-bit values in fileio.c. Closes: #929502.
  * Apply three patches by Mark Adler to fix CVE-2019-13232.
  - Fix bug in undefer_input() that misplaced the input state.
  - Detect and reject a zip bomb using overlapped entries.
    Bug discovered by David Fifield. Closes: #931433.
  - Do not raise a zip bomb alert for a misplaced central directory.
    Reported by Peter Green. Closes: #932404.

 -- Santiago Vila <email address hidden>  Mon, 05 Aug 2019 18:10:06 +0200
Superseded in buster-release
unzip (6.0-23+deb10u1) buster; urgency=medium

  * Apply three patches by Mark Adler to fix CVE-2019-13232.
  - Fix bug in undefer_input() that misplaced the input state.
  - Detect and reject a zip bomb using overlapped entries.
    Bug discovered by David Fifield. Closes: #931433.
  - Do not raise a zip bomb alert for a misplaced central directory.
    Reported by Peter Green. Closes: #932404.

 -- Santiago Vila <email address hidden>  Tue, 30 Jul 2019 22:26:10 +0200
Superseded in sid-release
unzip (6.0-25) unstable; urgency=medium

  * Apply one more patch by Mark Adler:
  - Do not raise a zip bomb alert for a misplaced central directory.
    This should allow Firefox to build again. Closes: #932404.
    Reported by Peter Green. Hopefully CVE-2019-13232 is fixed now.

 -- Santiago Vila <email address hidden>  Sat, 27 Jul 2019 18:01:36 +0200
Superseded in sid-release
unzip (6.0-24) unstable; urgency=medium

  * Apply two patches by Mark Adler:
  - Fix bug in undefer_input() that misplaced the input state.
  - Detect and reject a zip bomb using overlapped entries. Closes: #931433.
    Bug discovered by David Fifield. For reference, this is CVE-2019-13232.

 -- Santiago Vila <email address hidden>  Thu, 11 Jul 2019 18:03:34 +0200
Superseded in buster-release
Superseded in sid-release
unzip (6.0-23) unstable; urgency=medium

  * Fix lame code in fileio.c which parsed 64-bit values incorrectly.
    Thanks to David Fifield for the report. Closes: #929502.

 -- Santiago Vila <email address hidden>  Wed, 29 May 2019 00:24:08 +0200
Superseded in stretch-release
unzip (6.0-21+deb9u1) stretch; urgency=medium

  * Fix buffer overflow in password protected ZIP archives. Closes: #889838.
    Patch borrowed from SUSE. For reference, this is CVE-2018-1000035.

 -- Santiago Vila <email address hidden>  Wed, 17 Apr 2019 21:23:40 +0200
Superseded in buster-release
Superseded in sid-release
unzip (6.0-22) unstable; urgency=medium

  * Fix buffer overflow in password protected ZIP archives. Closes: #889838.
    Patch borrowed from SUSE. For reference, this is CVE-2018-1000035.
  * Rules-Requires-Root: no.

 -- Santiago Vila <email address hidden>  Sat, 09 Feb 2019 18:12:00 +0100
Published in jessie-release
unzip (6.0-16+deb8u3) jessie; urgency=medium

  * Update patch 12-cve-2014-9636-test-compr-eb to follow revised
    patch "unzip-6.0_overflow3.diff" from mancha (patch author).
  * Fix CVE-2014-9913, buffer overflow in unzip. Closes: #847485.
    Patch by the author.
  * Fix CVE-2016-9844, buffer overflow in zipinfo. Closes: #847486.
    Patch by the author.

 -- Santiago Vila <email address hidden>  Sat, 28 Jan 2017 14:03:06 +0100
Superseded in buster-release
Superseded in stretch-release
Superseded in sid-release
unzip (6.0-21) unstable; urgency=medium

  * Rename all debian/patches/* to have .patch ending.
  * Update 12-cve-2014-9636-test-compr-eb.patch to follow revised
    patch "unzip-6.0_overflow3.diff" from mancha (patch author).
    Update also to follow upstream coding style.
  * Drop workaround for gcc optimization bug on ARM (GCC Bug #764732)
    in the hope that it's not present anymore in GCC-6.
  * Allow source to be cross-built. Closes: #836051.
  * Do not ignore Unix Timestamps. Closes: #842993. Patch by the author.
  * Fix CVE-2014-9913, buffer overflow in unzip. Closes: #847485.
    Patch by the author.
  * Fix CVE-2016-9844, buffer overflow in zipinfo. Closes: #847486.
    Patch by the author.

 -- Santiago Vila <email address hidden>  Sun, 11 Dec 2016 21:03:30 +0100
Published in wheezy-release
unzip (6.0-8+deb7u5) wheezy-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Update 16-fix-integer-underflow-csiz-decrypted patch.
    Fix regression in handling 0-byte files. (Closes: #804595)

 -- Salvatore Bonaccorso <email address hidden>  Mon, 09 Nov 2015 21:02:00 +0100
Superseded in jessie-release
unzip (6.0-16+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Update 16-fix-integer-underflow-csiz-decrypted patch.
    Fix regression in handling 0-byte files. (Closes: #804595)

 -- Salvatore Bonaccorso <email address hidden>  Mon, 09 Nov 2015 20:49:54 +0100
Superseded in stretch-release
Superseded in sid-release
unzip (6.0-20) unstable; urgency=high

  * Update debian/patches/16-fix-integer-underflow-csiz-decrypted to fix
    regression on encrypted 0-byte files. Closes: #804595.
    Thanks to Marc Deslauriers for the fix in Ubuntu.

 -- Santiago Vila <email address hidden>  Mon, 09 Nov 2015 22:15:32 +0100
Superseded in stretch-release
Superseded in sid-release
unzip (6.0-19) unstable; urgency=medium

  * Fix infinite loop when extracting password-protected archive.
    This is CVE-2015-7697. Closes: #802160.
  * Fix heap overflow when extracting password-protected archive.
    This is CVE-2015-7696. Closes: #802162.
  * Fix additional unsigned overflow on invalid input.
  * Thanks a lot to Raphaël Hertzog for the squeeze-lts release,
    from which this upload is mainly derived.

 -- Santiago Vila <email address hidden>  Thu, 22 Oct 2015 12:12:46 +0200
Superseded in wheezy-release
unzip (6.0-8+deb7u3) wheezy; urgency=medium

  * Apply the following patches from jessie:
  - Fixed bug "unzip thinks some files are symlinks". Closes: #717029.
    Reported by Jeff King. Patch by Andreas Schwab.
  - Increase size of cfactorstr array in list.c to avoid a buffer
    overflow problem. Closes: #741384.
  - Fix zipinfo crash where a value <= 25.5 was printed in a buffer
    having room only for values < 10.0. Closes: #744212.

 -- Santiago Vila <email address hidden>  Sun, 21 Jun 2015 11:00:00 +0200
Superseded in stretch-release
Superseded in sid-release
unzip (6.0-18) unstable; urgency=medium

  * Ship a debian/copyright file in source package instead of generating
    it at build time. Closes: #795567.

 -- Santiago Vila <email address hidden>  Sun, 16 Aug 2015 23:34:42 +0200
Superseded in stretch-release
Superseded in sid-release
unzip (6.0-17) unstable; urgency=medium

  * Switch to dh.
  * Remove build date embedded in binary to make the build reproducible.
    Thanks to Jérémy Bobbio <email address hidden>. Closes: #782851.

 -- Santiago Vila <email address hidden>  Sun, 17 May 2015 12:41:52 +0200
Superseded in stretch-release
Superseded in jessie-release
Superseded in sid-release
unzip (6.0-16) unstable; urgency=medium


  * Update 09-cve-2014-8139-crc-overflow to fix CVE-2014-8139
    the right way (patch by the author). Closes: #775640.
  * Update 10-cve-2014-8140-test-compr-eb to apply cleanly.
  * Update 12-cve-2014-9636-test-compr-eb to follow the extract.c
    file from the author.

 -- Santiago Vila <email address hidden>  Fri, 30 Jan 2015 22:16:08 +0100
Superseded in sid-release
unzip (6.0-15) unstable; urgency=medium


  * Fix heap overflow. Ensure that compressed and uncompressed
    block sizes match when using STORED method in extract.c.
    Patch taken from Ubuntu. Thanks a lot. Closes: #776589.
    For reference, this is CVE-2014-9636.

 -- Santiago Vila <email address hidden>  Thu, 29 Jan 2015 18:39:52 +0100
Superseded in wheezy-release
unzip (6.0-8+deb7u1) wheezy-security; urgency=high


  * Non-maintainer upload by the Security Team.
  * Apply upstream fix for three security bugs.
    CVE-2014-8139: CRC32 verification heap-based overflow
    CVE-2014-8140: out-of-bounds write issue in test_compr_eb()
    CVE-2014-8141: out-of-bounds read issues in getZip64Data()
    (Closes: #773722)

 -- Salvatore Bonaccorso <email address hidden>  Fri, 26 Dec 2014 20:04:35 +0100
Superseded in jessie-release
Superseded in sid-release
unzip (6.0-14) unstable; urgency=medium


  * Drop -O2 optimization on armhf as a workaround for gcc Bug #764732.
    Closes: #773785.

 -- Santiago Vila <email address hidden>  Tue, 30 Dec 2014 22:17:12 +0100
Superseded in sid-release
unzip (6.0-13) unstable; urgency=medium


  * Apply upstream fix for three security bugs. Closes: #773722.
    CVE-2014-8139: CRC32 verification heap-based overflow
    CVE-2014-8140: out-of-bounds write issue in test_compr_eb()
    CVE-2014-8141: out-of-bounds read issues in getZip64Data()

 -- Santiago Vila <email address hidden>  Mon, 22 Dec 2014 19:16:10 +0100
Superseded in jessie-release
Superseded in sid-release
unzip (6.0-12) unstable; urgency=medium


  * Fix zipinfo crash where a value <= 25.5 was printed in a buffer
    having room only for values < 10.0. The integral part is now printed
    at attribs[11] using %2u instead of attribs[12] using %u.
    This way the output is the same as before for values < 10.
    Authors tell me that the next unzip release will have a fix
    like this, at least for the Unix case. Closes: #744212.

 -- Santiago Vila <email address hidden>  Thu, 24 Apr 2014 23:39:38 +0200
Superseded in jessie-release
Superseded in sid-release
unzip (6.0-11) unstable; urgency=medium


  * Lowered mime priority to 3, somewhat below 5 which is file-roller
    default value. Closes: #727306.
  * Increase size of cfactorstr array in list.c to avoid a buffer
    overflow problem. Closes: #741384.

 -- Santiago Vila <email address hidden>  Mon, 17 Mar 2014 17:38:50 +0100
Superseded in jessie-release
Superseded in sid-release
unzip (6.0-10) unstable; urgency=low


  * Fixed bug "unzip thinks some files are symlinks". Closes: #717029.
    Reported by Jeff King. Patch by Andreas Schwab.
  * Added recommended targets build-arch and build-indep.
  * Dropped obsolete Conflicts and Replaces on unzip-crypt, for which
    the last version was a dummy transitional package.
  * The copyright file is generated from copyright.in at build time.
    Added lintian override for no-debian-copyright.

 -- Santiago Vila <email address hidden>  Mon, 14 Oct 2013 18:48:40 +0200
Superseded in jessie-release
Superseded in sid-release
unzip (6.0-9) unstable; urgency=low


  * Added NO_WORKING_ISPRINT to DEFINES so that UTF8 filenames are
    displayed correctly. Reported by Slavek Banko. Closes: #682682.
  * Use the right strip command when cross-building. Closes: #695141.

 -- Santiago Vila <email address hidden>  Sun, 24 Feb 2013 17:12:00 +0100
Superseded in wheezy-release
Superseded in sid-release
unzip (6.0-8) unstable; urgency=low


  * Made unzip -X actually restore uid/gid information.
    Closes: #689212. Thanks to Axel Scheepers for the report.
  * Disabled memcpy, as it is being used on overlapping buffers,
    leading to data corruption. Closes: #694601.
    Thanks to M Joonas Pihlaja for the report.

 -- Santiago Vila <email address hidden>  Wed, 28 Nov 2012 12:41:34 +0100
Superseded in wheezy-release
Superseded in sid-release
unzip (6.0-7) unstable; urgency=low


  * Added Multi-Arch: foreign. Closes: #678812.

 -- Santiago Vila <email address hidden>  Sat, 30 Jun 2012 14:17:42 +0200
Superseded in wheezy-release
Superseded in sid-release
unzip (6.0-6) unstable; urgency=low


  * Added hardening flags. Closes: #656268.

 -- Santiago Vila <email address hidden>  Sun, 01 Apr 2012 00:01:40 +0200
Superseded in wheezy-release
Superseded in sid-release
unzip (6.0-5) unstable; urgency=low

  * Handle the PKWare verification bit of internal attributes.
    Patch taken from 6.10 beta. Thanks to sms. Closes: #630078.

 -- Santiago Vila <email address hidden>  Fri, 01 Jul 2011 19:06:08 +0200
Superseded in wheezy-release
Published in squeeze-release
Superseded in sid-release
unzip (6.0-4) unstable; urgency=low


  * Added homepage field to control file.
  * Switch to 3.0 (quilt) source format.
  * Support cross-build.

 -- Santiago Vila <email address hidden>  Sun, 21 Feb 2010 17:01:00 +0100
Superseded in squeeze-release
Superseded in sid-release
unzip (6.0-3) unstable; urgency=low


  * Added "set -e" to postinst and postrm.

 -- Santiago Vila <email address hidden>  Tue, 09 Feb 2010 23:53:42 +0100
Superseded in sid-release
unzip (6.0-2) unstable; urgency=low


  * Do not ignore errors from make clean (lintian warning)
  * Remove .comment section from executables (lintian warning).
  * Added mime stuff so that mutt is able to see the contents of a zipfile
    using "unzip -l". Closes: #474538.

 -- Santiago Vila <email address hidden>  Mon, 08 Feb 2010 18:44:00 +0100
Superseded in squeeze-release
Superseded in sid-release
unzip (6.0-1) unstable; urgency=low


  * New upstream release. Closes: #496989.
  * Enabled new Unicode support. Closes: #197427. This may or may not work
    for your already created zipfiles, but it's not a bug unless they were
    created using the Unicode feature present in zip 3.0.
  * Built using DATE_FORMAT=DF_YMD so that unzip -l shows dates in ISO format,
    as that's the only available one which makes sense. Closes: #312886.
  * Enabled new bzip2 support. Closes: #426798.
  * Exit code for zipgrep should now be the right one. Closes: #441997.
  * The reason why a file may not be created is now shown. Closes: #478791.
  * Summary of changes in this version not being the debian/* files:
  - Manpages in section 1, not 1L.
  - Branding patch. UnZip by Debian. Original by Info-ZIP.
  - Always #include <unistd.h>. Debian GNU/kFreeBSD needs it.

 -- Santiago Vila <email address hidden>  Fri, 08 May 2009 20:02:40 +0200
Superseded in squeeze-release
Superseded in sid-release
Published in lenny-release
unzip (5.52-12) unstable; urgency=medium


  * Fixed stack underflow in unshrink.c. Closes: #454037.
    Thanks to Christian Spieler for the patch.

 -- Santiago Vila <email address hidden>  Sat, 26 Jul 2008 16:51:38 +0200